Erxes

3 CVEs product

Monthly

Sort: Newest CVSS Score EPSS Score Oldest
CVE-2024-57190 CRITICAL POC PATCH Act Now

Erxes versions prior to 1.6.1 contain a critical authentication bypass vulnerability where attackers can impersonate any user by injecting arbitrary values into the 'User' HTTP header, gaining unauthorized access to all GraphQL endpoints. This CWE-284 (Incorrect Access Control) flaw requires no authentication credentials, no user interaction, and can be exploited over the network with trivial complexity, resulting in complete compromise of confidentiality, integrity, and availability (CVSS 9.8). The vulnerability likely has active exploitation potential given the simplicity of the attack vector and the critical nature of authentication bypass flaws in widely-deployed platforms.

Authentication Bypass Erxes
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-57189 MEDIUM POC PATCH This Month

In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-57186 MEDIUM POC PATCH This Month

In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-57190
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Erxes versions prior to 1.6.1 contain a critical authentication bypass vulnerability where attackers can impersonate any user by injecting arbitrary values into the 'User' HTTP header, gaining unauthorized access to all GraphQL endpoints. This CWE-284 (Incorrect Access Control) flaw requires no authentication credentials, no user interaction, and can be exploited over the network with trivial complexity, resulting in complete compromise of confidentiality, integrity, and availability (CVSS 9.8). The vulnerability likely has active exploitation potential given the simplicity of the attack vector and the critical nature of authentication bypass flaws in widely-deployed platforms.

Authentication Bypass Erxes
NVD GitHub
CVE-2024-57189
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.

Path Traversal Erxes
NVD GitHub
CVE-2024-57186
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.

Path Traversal Erxes
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy